The SBOM will bring us together
Illustration: Christopher T. Fong/Protocol

Protocol Enterprise

Hello, and welcome to Protocol Enterprise! Today: why calls for greater software transparency might help improve security and might create a lot of work, the most carbon-heavy data center regions and this week in enterprise moves.

What’s in your software?

Hey, remember the mad scramble by cybersecurity teams in the wake of the critical Log4Shell vulnerability last December?

If so, then you're probably well aware of the security risks of the software supply chain — and also that there's no easy fix.

  • But many in the security community are optimistic that improved transparency into software components, through the use of what's called a "software bill of materials," will help a lot.
  • An SBOM is just a text file that lists the components used to build a piece of software, often compared to an ingredients list on a package of food.
  • SBOMs could have a range of applications for reducing cyber risk, proponents say. The most commonly cited use is to help a customer quickly pinpoint where they're running vulnerable software components — particularly open-source components.

However, the software tools needed to analyze SBOMs in bulk and glean insights from the data largely do not exist yet.

  • And at least in the initial stage, an SBOM won't be automatically correlated with vulnerability information either.
  • More tools for making practical use of SBOMs are expected to arrive once more SBOM data is produced.
  • That will likely be spurred, at least in the beginning, by the federal government and its tens of billions of dollars in annual IT spending.
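As an added illustration (not code from the newsletter, CISA, or any SBOM tool), the Python below reads a constructed CycloneDX-style SBOM and performs the correlation step the text says is still largely missing: matching each listed component against a vulnerability feed with affected-version ranges. The SBOM contents, advisory IDs and version ranges are sample data standing in for a real product inventory and a real vulnerability database.

```python
import json

# Constructed CycloneDX-style SBOM (sample data, not a real product's SBOM).
SBOM_JSON = """{
  "bomFormat": "CycloneDX", "specVersion": "1.4",
  "components": [
    {"type": "library", "group": "org.apache.logging.log4j",
     "name": "log4j-core", "version": "2.14.1"},
    {"type": "library", "group": "org.apache.logging.log4j",
     "name": "log4j-api", "version": "2.14.1"},
    {"type": "library", "group": "com.fasterxml.jackson.core",
     "name": "jackson-databind", "version": "2.13.3"}
  ]
}"""

# Constructed advisory feed: affected when introduced <= version < fixed.
# IDs and ranges are placeholders, not entries from a real database.
ADVISORIES = [
    {"id": "ADV-SAMPLE-0001", "group": "org.apache.logging.log4j",
     "name": "log4j-core", "introduced": "2.0", "fixed": "2.15.0"},
    {"id": "ADV-SAMPLE-0002", "group": "com.fasterxml.jackson.core",
     "name": "jackson-databind", "introduced": "2.0", "fixed": "2.12.0"},
]

def parse_version(v):
    """Turn '2.14.1' into a comparable tuple; numeric parts sort as ints."""
    return tuple((1, int(p)) if p.isdigit() else (0, p) for p in v.split("."))

def is_affected(version, introduced, fixed):
    """True when the component version lies inside the affected range."""
    v = parse_version(version)
    return parse_version(introduced) <= v < parse_version(fixed)

def match_sbom(sbom_text, advisories):
    """Correlate every SBOM component with the advisory feed."""
    sbom = json.loads(sbom_text)
    hits = []
    for comp in sbom.get("components", []):
        for adv in advisories:
            if (comp.get("group"), comp.get("name")) != (adv["group"], adv["name"]):
                continue
            if is_affected(comp["version"], adv["introduced"], adv["fixed"]):
                hits.append((adv["id"], comp["name"], comp["version"]))
    return hits

if __name__ == "__main__":
    for adv_id, name, version in match_sbom(SBOM_JSON, ADVISORIES):
        print(f"{adv_id}: {name}@{version} is affected")
```

Running it flags only log4j-core 2.14.1; log4j-api is never matched because the feed names log4j-core specifically, which is exactly the precision an SBOM-to-vulnerability correlation is meant to give.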

Ever since President Biden's executive order in May 2021, which established SBOM as an important initiative for national cybersecurity, many software companies have been expecting SBOMs to eventually become a requirement in federal contracts.

  • The White House's Office of Management and Budget is likely to soon issue a memo to federal agencies detailing how to go about including SBOMs in the contracting process, cybersecurity policy watchers told me.
  • At this point, numerous commercial and open-source tools exist for generating SBOMs, and the basics of the concept are "reasonably well understood," according to Allan Friedman, who heads the SBOM initiative at CISA.
  • And while SBOM will need time to fully mature, the important thing is to get started with what’s ready now and build from here, Friedman told me.

"To go from security [where software] is a black box to thinking about the broader supply chain — that takes a while, especially in the federal government," he said. "But it is a priority."

Read the full story here.

— Kyle Alspach (email | twitter)

Sponsored content from DataRobot

DataRobot's AI Cloud for Financial Services Unlocks the Art of the Possible: DataRobot continues to attract clients in financial services who want to de-risk their AI investments and rapidly scale AI to almost every part of their operations, resulting in improved productivity and higher customer satisfaction.

Read more from DataRobot

A clean cloud may be hard to find

Cirrus Nexus set out to recommend the regions with the least carbon-intensive data centers, in light of questions from its clients about where to locate workloads to minimize their climate toll. But, in the words of CEO and co-founder Chris Noble, there’s “not a simple answer.”

While regions that rely the most on solar, wind, hydro and nuclear power tend to have the lowest carbon intensity, that measure fluctuates dramatically; when the sun isn’t shining or the wind isn’t blowing, many regions turn to fossil fuels as a fallback. (Carbon intensity measures the amount of carbon dioxide emitted per unit of electricity generated.)

While places like California and France, which rely heavily on renewable and nuclear energy, respectively, tend to have the lowest carbon intensity, the nature of the energy transition made other regions hard to evaluate. Cirrus Nexus emphasized the importance of increasing energy storage in order to iron out these inconsistencies.

However, Noble said companies that buy cloud computing services historically have had a blind spot for the emissions tied to data center operations. Ultimately, he said the carbon intensity of cloud operations is a function of what customers demand. If they suddenly tell providers that they will go elsewhere unless the provider minimizes its carbon intensity, Noble said there could be a rush to bolster data centers with solar panels or storage.

— Lisa Martine Jenkins (email | twitter)

Enterprise moves

Over the past week American Airlines and Domo added new chief executives, Qualtrics and ServiceNow shook up their board of directors, and more.

Ganesh Jayaram is the new CIO of American Airlines. Jayaram was formerly CIO at John Deere.

Wendy Steinle joined Domo as chief marketing officer. Steinle formerly held senior marketing roles at Adobe.

Pradheepa Raman was named chief people officer at GlobalFoundries. Raman formerly held leadership roles in human resources at Samsung Electronics and Avaya.

Paul Hager joined Ingram Micro as VP of services for the U.S. Hager was formerly director of solutions for service provider Elevity IT.

Ali Salehpour, an SVP at Applied Materials, is leaving. Salehpour, who is retiring effective January 2023, led the company’s services, display and flexible technology group.

Robin Manherz was appointed to the Qualtrics board of directors. Manherz is currently chief operating officer of customer success at SAP.

Dennis Woodside is stepping down from the ServiceNow board of directors. Woodside is currently the president of Impossible Foods and was formerly COO at Dropbox.

— Aisha Counts (email | twitter)

Around the enterprise

The hackers that compromised Twilio cast their nets much wider than originally realized, successfully targeting more than 130 companies and organizations with the same attack.

Microsoft understands that cloud migrations are hard: It continues to make slow progress toward moving Office 365 and Microsoft 365 to Azure, according to ZDNet, a process that eventually will have lasted about a decade.

Workday beat Wall Street expectations for its second quarter and raised guidance for the upcoming quarter, another sign that enterprise software spending remains pretty steady for companies that are still growing.

Sponsored content from DataRobot

DataRobot's AI Cloud for Financial Services Unlocks the Art of the Possible: Banks need to secure a competitive advantage in an increasingly tight race to harness best-in-breed technology. Decision makers need to not just plan a future-ready strategy, but also recognize the value of AI that could boost not just their performance in-house but also their reputation among their global customers.

Read more from DataRobot

Thanks for reading — see you tomorrow!